87 lines
2.4 KiB
Plaintext
87 lines
2.4 KiB
Plaintext
## map directive must be in http context
|
|
# Uncomment this if you use Auth SSL:
|
|
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
|
|
# default "";
|
|
# ~/CN=(?<CN>[^/]+) $CN;
|
|
#}
|
|
%set %%webDomain = %%authWebName.split('.',1)[1]
|
|
|
|
server {
|
|
listen 80;
|
|
server_name %%authWebName;
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443;
|
|
ssl on;
|
|
%if %%cert_type == "letsencrypt"
|
|
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
|
|
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
|
|
%else
|
|
ssl_certificate %%server_cert;
|
|
ssl_certificate_key %%server_key;
|
|
%end if
|
|
ssl_client_certificate /etc/ssl/certs/ca..crt;
|
|
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
|
|
server_name %%authWebName;
|
|
root /usr/share/lemonldap-ng/portal/htdocs/;
|
|
|
|
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
|
|
rewrite ^/(.*)$ /index.psgi/$1 break;
|
|
}
|
|
|
|
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
|
|
# Note that Content-Security-Policy header is generated by portal itself
|
|
|
|
# FastCGI configuration
|
|
include /etc/nginx/fastcgi_params;
|
|
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
|
fastcgi_param LLTYPE psgi;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
fastcgi_hide_header Content-Security-Policy;
|
|
add_header Content-Security-Policy "default-src 'self'; form-action 'self' http://*.%%webDomain https://*.%%webDomain; object-src 'none'";
|
|
|
|
}
|
|
|
|
index index.psgi;
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
|
|
# Uncomment this if you use https only
|
|
#add_header Strict-Transport-Security "max-age=15768000";
|
|
}
|
|
|
|
location /static/ {
|
|
alias /usr/share/lemonldap-ng/portal/htdocs/static/;
|
|
}
|
|
|
|
# REST/SOAP functions for sessions management (disabled by default)
|
|
location /index.psgi/adminSessions {
|
|
deny all;
|
|
}
|
|
|
|
# REST/SOAP functions for sessions access (disabled by default)
|
|
location /index.psgi/sessions {
|
|
deny all;
|
|
}
|
|
|
|
# REST/SOAP functions for configuration access (disabled by default)
|
|
location /index.psgi/config {
|
|
deny all;
|
|
}
|
|
|
|
# REST/SOAP functions for notification insertion (disabled by default)
|
|
location /index.psgi/notification {
|
|
deny all;
|
|
}
|
|
|
|
# DEBIAN
|
|
# If install was made with USEDEBIANLIBS (official releases), uncomment this
|
|
#location /javascript/ {
|
|
# alias /usr/share/javascript/;
|
|
#}
|
|
}
|